chg: [security] Enable CSRF globally.

cve-search · Jul 14, 2024 · 2caab56 · 2caab56
1 parent 3cdafce
commit 2caab56
Showing 1 changed file with 38 additions and 3 deletions.
diff --git a/website/web/bootstrap.py b/website/web/bootstrap.py
@@ -4,14 +4,17 @@
 import logging
 import logging.config
 import os
+import re
+import uuid
 from datetime import datetime
 from flask import Flask
 from flask_bootstrap import Bootstrap5  # type: ignore[import-untyped]
 from flask_migrate import Migrate  # type: ignore[import-untyped]
 from flask_sqlalchemy import SQLAlchemy
-from logging.config import dictConfig
+from flask_wtf.csrf import CSRFProtect
+from werkzeug.routing import BaseConverter
+from werkzeug.routing import ValidationError
 
-from vulnerabilitylookup.default import get_config
 from vulnerabilitylookup.vulnerabilitylookup import VulnerabilityLookup
 from website import BASE_DIR
 from website.web.helpers import sri_load
@@ -55,13 +58,17 @@ def set_logging(
 
 Bootstrap5(application)
 
+# Database and migration
 db = SQLAlchemy(application)
 migrate = Migrate(application, db, directory="website/migrations")
 
+# Enable CSRF protection globally
+csrf = CSRFProtect(application)
+
 vulnerabilitylookup: VulnerabilityLookup = VulnerabilityLookup()  # type: ignore[unused-ignore]
 
 
-# ##### Global methods passed to jinja
+# ##### Global methods passed to Jinja
 
 
 def get_sri(directory: str, filename: str) -> str:
@@ -87,3 +94,31 @@ def hash(value: str) -> str:
 
 application.jinja_env.filters["datetimeformat"] = datetimeformat
 application.jinja_env.filters["hash"] = hash
+
+
+# URL Converters
+UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
+
+
+class UUIDConverter(BaseConverter):
+    """
+    UUID converter for the Werkzeug routing system.
+    """
+
+    def __init__(self, map, strict=True):
+        super().__init__(map)
+        self.strict = strict
+
+    def to_python(self, value):
+        if self.strict and not UUID_RE.match(value):
+            raise ValidationError()
+        try:
+            return uuid.UUID(value)
+        except ValueError:
+            raise ValidationError()
+
+    def to_url(self, value):
+        return str(value)
+
+
+application.url_map.converters["uuid"] = UUIDConverter